From dcd2def061c35bfbf5f0a996464057b033045a59 Mon Sep 17 00:00:00 2001
From: Frances Wingerter
Date: Fri, 12 Aug 2022 12:55:25 -0400
Subject: [PATCH] add (failing) test of cross-compartment TLS accesses
---
 header-rewriter/tests/CMakeLists.txt | 1 +
 .../tests/tls_protected/CMakeLists.txt | 27 ++++++++++++++
 .../Output/tls_protected_lib.insecure.out | 2 +
 .../Output/tls_protected_lib.out | 3 ++
 .../Output/tls_protected_main.insecure.out | 2 +
 .../Output/tls_protected_main.out | 3 ++
 .../tests/tls_protected/include/library.h | 19 ++++++++++
 header-rewriter/tests/tls_protected/library.c | 15 ++++++++
 header-rewriter/tests/tls_protected/main.c | 37 +++++++++++++++++++
 9 files changed, 109 insertions(+)
 create mode 100644 header-rewriter/tests/tls_protected/CMakeLists.txt
 create mode 100644 header-rewriter/tests/tls_protected/Output/tls_protected_lib.insecure.out
 create mode 100644 header-rewriter/tests/tls_protected/Output/tls_protected_lib.out
 create mode 100644 header-rewriter/tests/tls_protected/Output/tls_protected_main.insecure.out
 create mode 100644 header-rewriter/tests/tls_protected/Output/tls_protected_main.out
 create mode 100644 header-rewriter/tests/tls_protected/include/library.h
 create mode 100644 header-rewriter/tests/tls_protected/library.c
 create mode 100644 header-rewriter/tests/tls_protected/main.c
diff --git a/header-rewriter/tests/CMakeLists.txt b/header-rewriter/tests/CMakeLists.txt
index 7e48335822..e0f941dc1e 100644
--- a/header-rewriter/tests/CMakeLists.txt
+++ b/header-rewriter/tests/CMakeLists.txt
@@ -44,3 +44,4 @@ add_subdirectory(two_keys_minimal)
 add_subdirectory(two_shared_ranges)
 add_subdirectory(global_fn_ptr)
 add_subdirectory(read_config)
+add_subdirectory(tls_protected)
diff --git a/header-rewriter/tests/tls_protected/CMakeLists.txt b/header-rewriter/tests/tls_protected/CMakeLists.txt
new file mode 100644
index 0000000000..f5a207ed46
--- /dev/null
+++ b/header-rewriter/tests/tls_protected/CMakeLists.txt
@@ -0,0 +1,27 @@
+if(LIBIA2_INSECURE)
+ set(MAIN_STDOUT_REF ${CMAKE_CURRENT_SOURCE_DIR}/Output/tls_protected_main.insecure.out)
+ set(LIB_STDOUT_REF ${CMAKE_CURRENT_SOURCE_DIR}/Output/tls_protected_lib.insecure.out)
+else()
+ set(MAIN_STDOUT_REF ${CMAKE_CURRENT_SOURCE_DIR}/Output/tls_protected_main.out)
+ set(LIB_STDOUT_REF ${CMAKE_CURRENT_SOURCE_DIR}/Output/tls_protected_lib.out)
+endif()
+configure_file(${MAIN_STDOUT_REF} ${CMAKE_CURRENT_BINARY_DIR})
+configure_file(${LIB_STDOUT_REF} ${CMAKE_CURRENT_BINARY_DIR})
+
+set(HEADERS library.h)
+
+# Build the wrapper lib
+define_ia2_wrapper(
+ HEADERS ${HEADERS}
+ CALLER_PKEY 1
+)
+
+# Build the wrapped lib
+define_shared_lib(
+ SRCS library.c
+)
+
+# Build the test
+define_test(
+ SRCS main.c
+)
diff --git a/header-rewriter/tests/tls_protected/Output/tls_protected_lib.insecure.out b/header-rewriter/tests/tls_protected/Output/tls_protected_lib.insecure.out
new file mode 100644
index 0000000000..dffb68d58c
--- /dev/null
+++ b/header-rewriter/tests/tls_protected/Output/tls_protected_lib.insecure.out
@@ -0,0 +1,2 @@
+TRUSTED: the secret is deadbeef
+CHECK_VIOLATION: did not seg fault as expected
diff --git a/header-rewriter/tests/tls_protected/Output/tls_protected_lib.out b/header-rewriter/tests/tls_protected/Output/tls_protected_lib.out
new file mode 100644
index 0000000000..08561612f1
--- /dev/null
+++ b/header-rewriter/tests/tls_protected/Output/tls_protected_lib.out
@@ -0,0 +1,3 @@
+main: main secret is deadbeef
+library: lib secret is 1eaf1e55
+CHECK_VIOLATION: seg faulted as expected
diff --git a/header-rewriter/tests/tls_protected/Output/tls_protected_main.insecure.out b/header-rewriter/tests/tls_protected/Output/tls_protected_main.insecure.out
new file mode 100644
index 0000000000..dffb68d58c
--- /dev/null
+++ b/header-rewriter/tests/tls_protected/Output/tls_protected_main.insecure.out
@@ -0,0 +1,2 @@
+TRUSTED: the secret is deadbeef
+CHECK_VIOLATION: did not seg fault as expected
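Review bot: In tests/tls_protected/CMakeLists.txt both `configure_file()` calls pass a directory as the destination, so the copied reference keeps its source name; under `LIBIA2_INSECURE` that is `tls_protected_main.insecure.out` and `tls_protected_lib.insecure.out`, while the RUN lines in include/library.h diff against `tls_protected_main.out` and `tls_protected_lib.out`. Unless something outside this patch renames the files, an insecure build has no reference file at the path the test reads. Naming the destination explicitly would make both modes land on the same path, e.g. `configure_file(${MAIN_STDOUT_REF} ${CMAKE_CURRENT_BINARY_DIR}/tls_protected_main.out)` and the equivalent line for `LIB_STDOUT_REF`.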
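Review bot: The first line of Output/tls_protected_lib.insecure.out, `TRUSTED: the secret is deadbeef`, is not printed by anything in this test; main.c and library.c only emit `main: main secret is %x`, `library: lib secret is %x`, `library: main secret is %x` and `main: lib secret is %x`. The file appears to be carried over from another test, and Output/tls_protected_main.insecure.out has the same content. For the unprotected build the reference should presumably hold the lines this test prints plus the `did not seg fault as expected` message, and the two files should differ in which secret is printed last; the exact ordering depends on test_fault_handler.h, which is outside this patch.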
diff --git a/header-rewriter/tests/tls_protected/Output/tls_protected_main.out b/header-rewriter/tests/tls_protected/Output/tls_protected_main.out
new file mode 100644
index 0000000000..08561612f1
--- /dev/null
+++ b/header-rewriter/tests/tls_protected/Output/tls_protected_main.out
@@ -0,0 +1,3 @@
+main: main secret is deadbeef
+library: lib secret is 1eaf1e55
+CHECK_VIOLATION: seg faulted as expected
diff --git a/header-rewriter/tests/tls_protected/include/library.h b/header-rewriter/tests/tls_protected/include/library.h
new file mode 100644
index 0000000000..7e01651a0a
--- /dev/null
+++ b/header-rewriter/tests/tls_protected/include/library.h
@@ -0,0 +1,19 @@
+/*
+RUN: cp %s %t.h
+RUN: ia2-header-rewriter %T/wrapper.c %t.h -- -I%resource_dir
+RUN: cat %t.h | sed 's/^.*CHECK.*$//' | FileCheck %s
+RUN: %binary_dir/tests/tls_protected/tls_protected-main | diff %binary_dir/tests/tls_protected/tls_protected_main.out -
+RUN: %binary_dir/tests/tls_protected/tls_protected-main print_lib_secret | diff %binary_dir/tests/tls_protected/tls_protected_lib.out -
+*/
+#pragma once
+#include
+#include
+
+thread_local extern uint32_t main_secret;
+thread_local extern uint32_t lib_secret;
+
+// CHECK: IA2_WRAP_FUNCTION(lib_print_main_secret);
+void lib_print_main_secret();
+
+// CHECK: IA2_WRAP_FUNCTION(lib_print_lib_secret);
+void lib_print_lib_secret();
diff --git a/header-rewriter/tests/tls_protected/library.c b/header-rewriter/tests/tls_protected/library.c
new file mode 100644
index 0000000000..07897dd514
--- /dev/null
+++ b/header-rewriter/tests/tls_protected/library.c
@@ -0,0 +1,15 @@
+#include "library.h"
+#include "test_fault_handler.h"
+#include
+#include
+#include
+
+thread_local uint32_t lib_secret = 0x1eaf1e55;
+
+void lib_print_main_secret() {
+ printf("library: main secret is %x\n", CHECK_VIOLATION(main_secret));
+}
+
+void lib_print_lib_secret() {
+ printf("library: lib secret is %x\n", lib_secret);
+}
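Review bot: In include/library.h the two wrapped functions are declared with empty parentheses, `void lib_print_main_secret();` and `void lib_print_lib_secret();`, which in C leaves the parameter list unspecified instead of declaring a function that takes no arguments. Since this header is the input from which the compartment-boundary wrappers are generated, I would spell the contract out as `void lib_print_main_secret(void);` and `void lib_print_lib_secret(void);`, and match that in the definitions in library.c.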
diff --git a/header-rewriter/tests/tls_protected/main.c b/header-rewriter/tests/tls_protected/main.c
new file mode 100644
index 0000000000..c6572f58b7
--- /dev/null
+++ b/header-rewriter/tests/tls_protected/main.c
@@ -0,0 +1,37 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#define IA2_DEFINE_TEST_HANDLER
+#include "test_fault_handler.h"
+#include
+
+INIT_RUNTIME(1);
+INIT_COMPARTMENT(1);
+
+thread_local uint32_t main_secret = 0xdeadbeef;
+
+// This tests that mpk violations call the signal handler in
+// test_fault_handler.h and print the appropriate message if the
+// segfault occurred in one of the CHECK_VIOLATION expressions. Passing in any
+// argument raises a segfault early to test that a violation outside a
+// CHECK_VIOLATION prints a different message.
+int main(int argc, char **argv) {
+ // Access to thread-local from the same compartment should work.
+ printf("main: main secret is %x\n", main_secret);
+ lib_print_lib_secret();
+
+ // If we have an argument, test the "main accessing lib" direction;
+ // otherwise test the "lib accessing main" direction. Both should
+ // exit with an MPK violation.
+ bool access_lib_secret = argc > 1;
+
+ // Perform forbidden access.
+ if (access_lib_secret) {
+ printf("main: lib secret is %x\n", CHECK_VIOLATION(lib_secret));
+ } else {
+ lib_print_main_secret();
+ }
+}
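Review bot: The block comment above `main` in main.c describes a different test: here an argument does not raise an early segfault outside `CHECK_VIOLATION`, it selects the direction in which main reads `lib_secret`, as the inline comment further down states. I would replace it with something like `// Checks that each compartment can read its own thread-local variable and that reading the other compartment's one raises an MPK violation inside CHECK_VIOLATION; any argument selects the main-reads-lib direction.` Separately, both directions run only on the initial thread, so the TLS blocks of threads created later are not exercised by this test; a follow-up case that repeats the forbidden access from a second thread would cover that.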